Security tools are often attacked by malicious software operating on an infected computing device. An attacker may try to uninstall the security tool, bypass its protection mechanisms, or render it useless by removing portions of the resources it requires. To reduce the likelihood of such attacks, security tools may include a protective kernel-resident module that guarantees the integrity of the device as well as the integrity of the system resources being used. However, an attacker who has gained sufficient privileges (i.e., root or administrator privileges, depending on the operating system) can attack kernel modules as well.
Various security APIs implement a security channel to enable a ‘security virtual machine’; however, this approach does not provide protection against certain attacks, such as those directed at a guest virtual machine (VM). Also, hypervisor components are generally not included to ensure the protection of the guest VMs.
Certain previous approaches to implementing security measures include a number of guest OSs operating on one or more hypervisors. Such approaches focus on detecting errors in the running guest OSs, deciding whether a fault is local to a single OS or shared with others, and selecting corrective actions accordingly. Such actions may include a restart of a single OS, or a migration to a different hypervisor if the errors are reported from two or more guests, since that points to a fundamental problem (i.e., one not local to a single OS).
Other approaches include a distributed and coordinated security system providing intrusion detection and prevention for virtual machines (VMs) operating in a virtual server. This may include passing a packet stream through an associated networking driver of a virtualization platform and filtering the packet stream in a security platform of the guest virtual machine. However, this approach fails to identify an attack on the guest OS itself, or vulnerabilities exploited through legitimate traffic. Existing approaches to detecting the removal of security agents operating on guest operating systems are limited in scope and could potentially be overcome by attackers seeking access to virtual resources.